angr.state_plugins.unicorn_engine¶

class angr.state_plugins.unicorn_engine.MEM_PATCH¶

Bases: Structure

struct mem_update_t

address: Structure/Union member

length: Structure/Union member

next: Structure/Union member

class angr.state_plugins.unicorn_engine.TRANSMIT_RECORD¶

Bases: Structure

struct transmit_record_t

count: Structure/Union member

data: Structure/Union member

fd: Structure/Union member

class angr.state_plugins.unicorn_engine.TaintEntityEnum¶

Bases: object

taint_entity_enum_t

TAINT_ENTITY_REG = 0¶

TAINT_ENTITY_TMP = 1¶

TAINT_ENTITY_MEM = 2¶

TAINT_ENTITY_NONE = 3¶

class angr.state_plugins.unicorn_engine.MemoryValue¶

Bases: Structure

struct memory_value_t

address: Structure/Union member

is_value_set: Structure/Union member

is_value_symbolic: Structure/Union member

value: Structure/Union member

class angr.state_plugins.unicorn_engine.RegisterValue¶

Bases: Structure

struct register_value_t

offset: Structure/Union member

size: Structure/Union member

value: Structure/Union member

class angr.state_plugins.unicorn_engine.VEXStmtDetails¶

Bases: Structure

struct sym_vex_stmt_details_t

has_memory_dep: Structure/Union member

memory_values: Structure/Union member

memory_values_count: Structure/Union member

stmt_idx: Structure/Union member

class angr.state_plugins.unicorn_engine.BlockDetails¶

Bases: Structure

struct sym_block_details_ret_t

block_addr: Structure/Union member

block_size: Structure/Union member

block_trace_ind: Structure/Union member

has_symbolic_exit: Structure/Union member

register_values: Structure/Union member

register_values_count: Structure/Union member

symbolic_vex_stmts: Structure/Union member

symbolic_vex_stmts_count: Structure/Union member

class angr.state_plugins.unicorn_engine.STOP¶

Bases: object

enum stop_t

STOP_NORMAL = 0¶

STOP_STOPPOINT = 1¶

STOP_ERROR = 2¶

STOP_SYSCALL = 3¶

STOP_EXECNONE = 4¶

STOP_ZEROPAGE = 5¶

STOP_NOSTART = 6¶

STOP_SEGFAULT = 7¶

STOP_ZERO_DIV = 8¶

STOP_NODECODE = 9¶

STOP_HLT = 10¶

STOP_VEX_LIFT_FAILED = 11¶

STOP_SYMBOLIC_PC = 12¶

STOP_SYMBOLIC_READ_ADDR = 13¶

STOP_SYMBOLIC_READ_SYMBOLIC_TRACKING_DISABLED = 14¶

STOP_SYMBOLIC_WRITE_ADDR = 15¶

STOP_SYMBOLIC_BLOCK_EXIT_CONDITION = 16¶

STOP_SYMBOLIC_BLOCK_EXIT_TARGET = 17¶

STOP_UNSUPPORTED_STMT_PUTI = 18¶

STOP_UNSUPPORTED_STMT_STOREG = 19¶

STOP_UNSUPPORTED_STMT_LOADG = 20¶

STOP_UNSUPPORTED_STMT_CAS = 21¶

STOP_UNSUPPORTED_STMT_LLSC = 22¶

STOP_UNSUPPORTED_STMT_DIRTY = 23¶

STOP_UNSUPPORTED_EXPR_GETI = 24¶

STOP_UNSUPPORTED_STMT_UNKNOWN = 25¶

STOP_UNSUPPORTED_EXPR_UNKNOWN = 26¶

STOP_UNKNOWN_MEMORY_WRITE_SIZE = 27¶

STOP_SYSCALL_ARM = 28¶

STOP_X86_CPUID = 29¶

stop_message = {0: 'Reached maximum steps', 1: 'Hit a stop point', 2: 'Something wrong', 3: 'Unable to handle syscall', 4: 'Fetching empty page', 5: 'Accessing zero page', 6: 'Failed to start', 7: 'Permissions or mapping error', 8: 'Divide by zero', 9: 'Instruction decoding error', 10: 'hlt instruction encountered', 11: 'Failed to lift block to VEX', 12: 'Instruction pointer became symbolic', 13: 'Attempted to read from symbolic address', 14: 'Attempted to read symbolic data from memory but symbolic tracking is disabled', 15: 'Attempted to write to symbolic address', 16: "Guard condition of block's exit statement is symbolic", 17: 'Target of default exit of block is symbolic', 18: 'Symbolic taint propagation for PutI statement not yet supported', 19: 'Symbolic taint propagation for StoreG statement not yet supported', 20: 'Symbolic taint propagation for LoadG statement not yet supported', 21: 'Symbolic taint propagation for CAS statement not yet supported', 22: 'Symbolic taint propagation for LLSC statement not yet supported', 23: 'Symbolic taint propagation for Dirty statement not yet supported', 24: 'Symbolic taint propagation for GetI expression not yet supported', 25: 'Canoo propagate symbolic taint for unsupported VEX statement type', 26: 'Cannot propagate symbolic taint for unsupported VEX expression', 27: 'Unicorn failed to determine size of memory write', 28: 'ARM syscalls are currently not supported by SimEngineUnicorn', 29: 'Block executes cpuid which should be handled in VEX engine'}¶

symbolic_stop_reasons = {12, 13, 14, 15, 16, 17, 28, 29}¶

unsupported_reasons = {11, 18, 19, 20, 21, 22, 23, 25, 26}¶

static name_stop(num)¶

static get_stop_msg(stop_reason)¶

class angr.state_plugins.unicorn_engine.StopDetails¶

Bases: Structure

struct stop_details_t

block_addr: Structure/Union member

block_size: Structure/Union member

stop_reason: Structure/Union member

class angr.state_plugins.unicorn_engine.SimOSEnum¶

Bases: object

enum simos_t

SIMOS_CGC = 0¶

SIMOS_LINUX = 1¶

SIMOS_OTHER = 2¶

exception angr.state_plugins.unicorn_engine.MemoryMappingError¶: Bases: Exception

exception angr.state_plugins.unicorn_engine.AccessingZeroPageError¶: Bases: MemoryMappingError

exception angr.state_plugins.unicorn_engine.FetchingZeroPageError¶: Bases: MemoryMappingError

exception angr.state_plugins.unicorn_engine.SegfaultError¶: Bases: MemoryMappingError

exception angr.state_plugins.unicorn_engine.MixedPermissonsError¶: Bases: MemoryMappingError

class angr.state_plugins.unicorn_engine.AggressiveConcretizationAnnotation¶

Bases: SimplificationAvoidanceAnnotation

__init__(addr)¶

class angr.state_plugins.unicorn_engine.Uniwrapper¶

Bases: object

Wrapper around unicorn.Uc that tracks mapped memory and hooks.

__init__(arch, cache_key, thumb=False)¶

hook_add(htype, callback, user_data=None, begin=1, end=0, aux1=0, aux2=0)¶

hook_del(h)¶

mem_map(addr, size, perms=7)¶

mem_map_ptr(addr, size, perms, ptr)¶

mem_unmap(addr, size)¶

mem_reset()¶

hook_reset()¶

reset()¶

class angr.state_plugins.unicorn_engine.Unicorn¶

Bases: SimStatePlugin

setup the unicorn engine for a state

UC_CONFIG = {}¶

__init__(syscall_hooks=None, cache_key=None, unicount=None, symbolic_var_counts=None, symbolic_inst_counts=None, concretized_asts=None, always_concretize=None, never_concretize=None, concretize_at=None, concretization_threshold_memory=None, concretization_threshold_registers=None, concretization_threshold_instruction=None, cooldown_symbolic_stop=2, cooldown_unsupported_stop=2, cooldown_nonunicorn_blocks=100, cooldown_stop_point=1, max_steps=1000000)¶: Initializes the Unicorn plugin for angr. This plugin handles communication with UnicornEngine.

property uc¶

static delete_uc()¶

set_last_block_details(details)¶

set_stops(stop_points)¶

set_tracking(track_bbls, track_stack)¶

hook()¶

uncache_region(addr, length)¶

clear_page_cache()¶

setup(syscall_data=None, fd_bytes=None)¶

start(step=None)¶

get_recent_bbl_addrs()¶

get_stop_details()¶

finish(succ_state)¶

destroy(succ_state)¶

set_regs()¶: setting unicorn registers

setup_flags()¶

setup_gdt(fs, gs)¶

read_msr(msr=3221225728)¶

write_msr(val, msr=3221225728)¶

get_regs(succ_state)¶: loading registers from unicorn. If succ_state is not None, update it instead of self.state. Needed when handling symbolic exits in native interface